Record year for security breaks expected

(IDG) -- The government and the private sector need to prepare for what will likely be a record-setting year ahead for Internet security incidents, a panel of industry experts recently told Congress.

The CERT Coordination Center at Carnegie Mellon University in Pittsburgh estimates that the number of security incidents reported this year will surpass 40,000, more than twice the number of incidents reported last year. And not only is that number likely to increase next year, but such incidents also have the potential to bloom into serious threats similar to the "Code Red" or "Nimda" worms, which damaged hundreds of thousands of systems and cost companies more than $1 billion.

"The threat is critical," said Dave McCurdy, executive director of the Arlington, Va.-based Internet Security Alliance, speaking at a November 15 House subcommittee hearing on cybersecurity.

McCurdy told the committee that because 80 percent of the major security vulnerabilities are common to all organizations, the past four significant Internet worm attacks have cost companies more than $10 billion in repairs and lost productivity.

McCurdy also criticized the "reactive" nature of the responses to security threats and said a more proactive approach is desperately needed.

Mark Doll, a security analyst at Ernst & Young LLP in San Jose, agreed that more should be done to encourage companies, individuals and the government to take action on improving security. "Most companies lack the necessary rigor and scale of recovery systems to respond to a national attack or a cohesive cyberterrorism threat," said Doll.

In fact, a CIO magazine survey of 150 CIOs found that 40 percent of companies still don't have cybersecurity experts on staff or under contract.

Warren Axelrod, director of Global Information Security at the Pershing Division of Jersey City, N.J.-based Donaldson, Lufkin and Jenrette Securities Corp., put the onus on Congress, urging lawmakers to subsidize the creation of separate, secure intranets for the government; provide funding for a permanent Information Coordination Center similar to the one established for the year 2000 problem; and pass legislation exempting sensitive corporate information that's shared with the government from disclosure under the Freedom of Information Act.

"I recognize that I am proposing a costly series of programs at a time when budgets are tight," said Axelrod. "It will be a long and bitter battle, but we must engage in it if we are to prevail."

The government, however, tends to view private-sector participation in terms of sectors or "stovepipes," which creates barriers to true information sharing, McCurdy said.

Mary Ann Davidson, director of security product management at Oracle Corp., turned the spotlight on IT users and consumers. "They must make security a purchasing criterion," she said. "If you do not make it a purchasing criterion, you lose the right to complain afterwards if you've been hacked."

Likewise, vendors need to join an industry information-sharing organization, Davidson said, adding, "Either we hang together or we all hang separately."